SVP, Information Security, Risk & Compliance

Position Summary

The Senior Vice President, Information Security, Risk & Compliance serves as the global enterprise authority for technology risk management, security governance, regulatory compliance, and internal audit across The Fedcap Group.

This role designs and governs the organization’s security and risk framework while leading internal audit functions related to information technology and control effectiveness. The SVP ensures that enterprise controls are well-designed, independently assessed, and continuously improved to support scalable growth, regulatory integrity, and acquisition readiness. It recognizes that governance is not merely regulatory compliance — it is a mechanism to protect the communities we serve, safeguard entrusted resources, and ensure sustainable impact.

Reporting to the CIO, this executive partners closely with Finance, Legal, Infrastructure, Systems, Data, and operating leadership to maintain strong enterprise assurance and risk discipline.

This is a remote position working east coast hours.

Compensation $180,000 to $230,000 plus Performance bonus potential.

Mission

To establish and sustain an enterprise-grade security, risk, compliance, and internal assurance framework that protects the organization, strengthens accountability, reduces risk exposure, and supports sustainable growth as the enterprise scales.

Scope of Accountability

• Security framework selection and governance such as SOC 2 Type II, ISO 27001, HIPAA, NIST-aligned controls, GDPR, Essentials 8 and PIPEDA
• Enterprise IT risk management methodology and risk posture oversight
• Regulatory compliance alignment and audit interface
• Control design standards across infrastructure, systems, identity, and data
• Identity and access governance standards
• Data classification and information protection standards
• Security architecture standards
• AI governance standards
• Exception management and risk acceptance governance
• Ownership of enterprise IT internal audit planning and execution
• Oversight of control testing and independent assurance activities
• Privacy governance in coordination with Legal and Compliance
• Enterprise security reporting to executive leadership

Core Responsibilities

Enterprise Security & Risk Governance

• Design and maintain enterprise information security control frameworks.
• Define security policy architecture and cross-domain control requirements.
• Establish enterprise risk taxonomy and risk scoring methodology.
• Oversee risk register governance and risk reporting cadence.

Regulatory & Compliance Oversight

• Lead alignment with selected security frameworks.
• Serve as primary executive interface for external auditors and assessors.
• Ensure audit readiness and evidence governance discipline.
• Monitor regulatory changes and assess enterprise impact.
• Lead and manage the enterprise IT internal audit function.
• Develop and execute risk-based internal audit plans aligned to enterprise priorities.
• Conduct independent assessment of control effectiveness across infrastructure, systems, identity, data, and vendor governance.
• Oversee testing of key controls supporting internal audits and the implemented security and compliance frameworks.
• Present internal audit findings, risk assessments, and remediation status to executive leadership.
• Ensure timely and effective corrective action tracking.
• Strengthen enterprise control maturity through continuous assurance cycles.

Internal Audit & Assurance Leadership

Control Design & Assurance

• Define control design standards for Identity & access management, Data classification & retention, Logging and monitoring standards, Vendor risk management, etc.
• Oversee control testing and assurance coordination.
• Maintain separation between control design and control operation.

Enterprise Risk Advisory

• Provide risk advisory input for RFP technology commitments, M&A due diligence reviews, Vendor governance and financial exposure, AI and automation adoption
• Present risk posture and mitigation strategy to executive leadership.

Vendor & Third-Party Risk

• Define vendor risk assessment standards.
• Establish due diligence criteria for security and privacy.
• Oversee security risk review of acquisition targets.

Governance Maturity Advancement

• Mature predictive risk dashboards.
• Mature advanced risk analytics.
• Align governance model with enterprise growth strategy.

Qualifications

Professional Experience

• 10+ years of progressive leadership in information security, risk management, and compliance

• Demonstrated experience leading SOC 2, ISO 27001, HIPAA, or equivalent frameworks

• Direct experience leading or managing internal audit or control assurance programs

• Experience designing enterprise control frameworks across distributed organizations

• Proven executive communication and board-facing experience

• Experience supporting acquisitions and regulatory diligence

• Relevant certifications preferred (CISSP, CISM, CRISC, CIA, ISO Lead Implementer, etc.)

Leadership Profile

The ideal candidate will:

• Operate with strong executive presence
• Balance risk rigor with business enablement
• Establish independence in assurance without disrupting operations
• Build credibility across technical and non-technical leaders
• Strengthen internal audit maturity alongside security governance
• Demonstrates a strong commitment to the organization’s mission and understands the role of governance in protecting vulnerable populations and stewarding public trust.
• Leads with integrity, transparency, and service-oriented values.

Success Metrics (First 12 Months)

• Successful completion of required external audits (SOC 2 / ISO / HIPAA as applicable) with no material control deficiencies.

• Enterprise IT internal audit program formally established and risk-based audit plan executed.

• Enterprise risk register implemented with quarterly executive reporting cadence.

• Identity, data classification, and core security governance standards formally adopted and operationalized.

• Security, risk, compliance, and internal audit team structure evaluated and strengthened, including clear role definition, performance expectations, and hiring to address critical capability gaps.